Criminals wielding a new strain of ransomware called Cr1ptT0r are targeting network-attached storage users.

The NAS-targeting ransomware campaign was first discovered in February after owners of D-Link DNS-320 network storage enclosures took to the forums of Bleeping Computer to report that their devices had been crypto-locked.

Sensing a business opportunity, attackers wielding Cr1ptT0r ransomware have come calling. Services such as Shodan allow would-be attackers to search for internet-connected devices that may sport known vulnerabilities, then target them directly (see: Hacked MicroTik Routers Serve Cryptocurrency-Mining Malware).

A basic Shodan search for internet-connected devices returns header information that includes "DNS-320," which is just one type of network attached storage device being targeted by attackers with Cr1ptT0r ransomware.

"While it is common for NAS devices to get swept up in a ransomware attack, Cr1ptT0r is unique in that the distributors have limited their attacks to just NAS devices," ransomware incident response firm Coveware says in a research report. "The distribution strategy stands in stark contrast to broadly distributed ransomware like GandCrab, where the developers appear to be focused on becoming the most prevalent strain of ransomware."

The GandCrab operation focuses on volume, partnering with malware-distribution gangs and giving the "affiliates" who infect victims a customized version of the crypto-locking code, then guaranteeing that for every victim who pays a ransom, the affiliate will receive a portion of the payment.

Source: Coveware

GandCrab victims must go to a TOR site to pay - in bitcoin or dash cryptocurrency - and receive a decryption tool. "The GandCrab TOR site is very reliable and delivers a decryptor tool if you pay," Coveware said in a recent research report.

For Cr1ptT0r, the business plan seems to focus not on volume but rather targeted attacks and one-size-fits-all simplicity.

"The developers of Cr1ptT0r are ... constraining distribution to a single device type, standardizing the extortion payment process - fixed prices for a device or a file - and keeping the decryption simple to minimize their support costs," Coveware says.

The Cr1ptT0r gang is targeting a number of types of D-Link devices that are connected to the internet in a manner that is not secure and that have known vulnerabilities or do not sport the latest firmware or security patches, Coveware CEO Bill Siegel tells Information Security Media Group.

Victims who pay the ransom must provide the Cr1ptT0r operator with the type and firmware version of their device. Then they receive a script to run to decrypt the files on their device, Coveware says, noting that restoration can take a long time. That's because unlike other ransomware, Cr1ptT0r is designed to encrypt absolutely everything on a device - everything, that is, except for the ransom note it leaves as well as a text file that adds a line to log every file on the device that it's encrypted until the final line reads "done."
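The encryption log described above can be turned to a responder's advantage when scoping an incident. The following helper is an added example, not code from Coveware or the article: it assumes the log is a plain text file with one encrypted path per line (relative to the NAS root) and a final "done" line, which is only what the article describes; the actual file name and path format on a given device must be confirmed during triage.

```python
"""Triage helper for a Cr1ptT0r-style NAS incident (added example, not Coveware's code).

The article reports that the ransomware writes a text file listing every file it
encrypted, one per line, and ends the log with the line "done". This helper parses
such a log to answer two responder questions: did the run finish, and which listed
files are still present on the share (and so in scope for decryption or restore)?
Log name, path format and sample paths are assumptions; adjust to what is found.
"""
import os
import tempfile


def parse_encryption_log(text: str) -> dict:
    """Return {'complete': bool, 'files': [paths], 'last_line': str}."""
    lines = [ln.rstrip("\r\n") for ln in text.splitlines() if ln.strip()]
    if not lines:
        return {"complete": False, "files": [], "last_line": ""}
    complete = lines[-1].strip().lower() == "done"   # final marker per the article
    files = lines[:-1] if complete else lines         # an interrupted run has no marker
    return {"complete": complete, "files": files, "last_line": lines[-1]}


def scope_impact(log_text: str, root: str) -> dict:
    """Cross-check logged paths (assumed relative to root) against the file system."""
    parsed = parse_encryption_log(log_text)
    present, missing = [], []
    for rel in parsed["files"]:
        (present if os.path.exists(os.path.join(root, rel)) else missing).append(rel)
    return {"complete": parsed["complete"], "present": present, "missing": missing}


# Constructed sample logs: one finished run and one interrupted before "done".
SAMPLE_DONE = "Volume_1/photos/a.jpg\nVolume_1/docs/tax.pdf\ndone\n"
SAMPLE_PARTIAL = "Volume_1/photos/a.jpg\nVolume_1/docs/tax.pdf\n"


def demo() -> dict:
    """Build a constructed share where only one logged file still exists."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Volume_1/photos"))
        open(os.path.join(root, "Volume_1/photos/a.jpg"), "wb").close()
        return scope_impact(SAMPLE_DONE, root)


if __name__ == "__main__":
    print(demo())
```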

No Free Decryptor

Coveware is part of the No More Ransom initiative, which provides free decryptors for many strains of ransomware. Thanks in no small part to security firm Bitdefender and Romanian Police, last month, No More Ransom released a free decryptor for many versions of GandCrab (see: Police Push Free Decryptor for GandCrab Ransomware).

Unfortunately, so far there's no free decryptor for Cr1ptT0r ransomware.

If victims are not using their NAS as their sole backup or supplemental storage device, they can simply wipe the device and start over.

"If you are affected by Cr1ptT0r, at a minimum you should back up the data, format the drive and update the device," Coveware says. "Victims should not leave NAS devices open to the internet. Also, it should be noted that NAS devices that are not properly partitioned should not be used as backup devices. If there are no other options for recovering your data, paying the ransom should be the absolute last option."

Victims who do choose to pay, however, appear to be getting their data back.

"They [the attackers] are using full disk encryption, so while it is time consuming to decrypt, the keys provided work without damaging files," Coveware's Siegel says. "This is in contrast to a lot of branded ransomware, like Dharma and Ryuk, where the encryption process is very heavy and often corrupts certain files types and operating systems, leaving data recovery - even with a decryptor tool - impossible."

Essential Defenses

Coveware says that any business using NAS should ensure that at a minimum, they never directly expose any NAS device to the internet.

One way to restrict access is to first require users to access the network on which the NAS is sitting, for example, by using a remote desktop protocol connection.

Recently published research from Coveware found that when ransomware victims were able to pinpoint the source of their infection, 85 percent traced it to RDP, 14 percent to phishing and 2 percent to another form of social engineering.

About the Author

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as executive editor of DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
